This communication provides a transparent presentation of European instruments used to manage personal information for the purposes of law enforcement or migration management. It describes what information is collected, stored or exchanged about citizens, for what purposes and by whom.

ACT

Communication from the Commission to the European Parliament and the Council of 20 July 2010 – Overview of information management in the area of freedom, security and justice [COM(2010) 385 final – Not published in the Official Journal].

SUMMARY

The communication presents an overview of European Union (EU) level instruments that regulate the collection, storage or cross-border exchange of personal data for law enforcement or migration management purposes. It describes the main purpose and structure of these instruments, as well as the types of personal data they cover, the authorities that have access to these data and the rules for data protection and retention. It also sets out the main principles to take into consideration when designing and evaluating such instruments in future.

Instruments in force, under implementation or consideration

The current EU level instruments consist of those that aim to improve the functioning of the Schengen area and the customs union, such as the:

As to cooperation with non-EU countries to prevent and combat terrorism and other forms of serious transnational crime, the Commission has signed Passenger Name Record (PNR) agreements with the United States, Australia and Canada. However, the European Parliament is critical of the content of these agreements and has, therefore, requested the Commission to renegotiate them. The Commission has also signed an agreement with the United States on the transfer of financial messaging data (EU-US TFTO Agreement).

The Stockholm Programme action plan also includes initiatives that the Commission is to study, with a view to presenting a communication on their feasibility:

an EU Terrorist Finance Tracking Programme (EU TFTP), for facilitating data transfers from the EU to the United States;

an Electronic System of Travel Authorisations (ESTA), for facilitating the entry of non-EU nationals who are not subject to visa requirements;

a European Police Record Index System (EPRIS), for facilitating the location of information across the EU by law enforcement officers.

Analysis of instruments

Only six of the above mentioned instruments involve the collection and storage of personal data at EU level: SIS, VIS, Eurodac, CIS, Europol and Eurojust. The other instruments regulate the exchange or transfer of personal information that has been collected at national level. With the exception of SIS and VIS, these instruments have a single purpose. Similarly, the personal information collected may only be used for the single purpose defined by the instrument in question, except for that collected through SIS and VIS.

Access to information from instruments that aim at combating terrorism and serious crime is limited to the police and border control and customs authorities. Access to information from Schengen-related instruments is limited to immigration authorities and, in certain circumstances, to the police and border control and customs authorities. The information flow for centralised instruments is controlled by national interfaces and for decentralised instruments by national contact points or central coordinating units.

Set of core principles for future

There is a need to establish a set of core principles for future policy developments as well as for the evaluation of the current instruments. These should consist of substantive principles, such as:

the safeguarding of fundamental rights, especially of the right to privacy and personal data protection via “privacy by design”;

an assessment of the necessity of the new instrument in terms of its impact on an individual’s right to privacy and personal data protection;

compliance with the principles of subsidiarity and proportionality;

management of risk via risk profiles.

The set of core principles should also consist of process-oriented principles, such as:

cost-effectiveness, taking into consideration existing instruments;

bottom-up policy design, taking into consideration the interests of end-users;